It was thus said that the Great Charles Iliya Krempeaux once stated: > A number of things to reply to. I wasn't sure whether to reply to > everything in one giant e-mail, or to reply in separate e-mails (that could > turn into their own separate threads). I think I'll create a small number > of separate replies to make it easier for others to follow. > > Regarding: > gopher:// > zaibatsu.circumlunar.space/0/~solderpunk/phlog/why-gopher-needs-crypto.txt > > I think the main topics of this is: > > №1: being able to detect (or prevent) content modification, and > > №2: being able to protect one's privacy and make spying very difficult (if > not impossible). > > (Please correct me if I missed anything.) > > Let's get technical about this — > > I haven't read the Gopher spec in a long time, so don't recall whether > there is something technical that would prevent it, but — Yes there is: <http://boston.conman.org/2019/03/31.1> Basically, it's hard to retrofit TLS into gopher without breaking existing clients. You could possibly force it, <http://boston.conman.org/2021/09/28.1>, but there are security concerns about forced downgrades. > One could try to use content-addressing to try to detect content > modification. > > For example, there could be a convention created (and Gopher clients > modified) such that the path in the gopher URL would contain a digest (from > a cryptographic hash function) of the content. For example: > > gopher:// > example.com/content/base64/sha3-512/ld7McvClCuTZ1TeOGyJSWHz8cZd+QyksjxuEZ IJIUJ8bwYvG8LDQuGBqZD7/YdYRroTm+9SiaDFlcGvW/UizNA== > > Notice that there are three main parts to this: > > • base64 > • sha3-512 > • > ld7McvClCuTZ1TeOGyJSWHz8cZd+QyksjxuEZIJIUJ8bwYvG8LDQuGBqZD7/YdYRroTm+9Sia DFlcGvW/UizNA== > > The gibberish is base64 encoding of the digest of a sha3-512 hash function. > > (One could use base64url if they didn't want the gibberish to have the "/" > symbol.) > > Someone would need to modify Gopher clients to recognize that type of > gopher URL, and then, once the data is downloaded, verify that its digest > matches the digest in the URL. There's an awful large number of gopher clients that would need updating, and probably won't. Also, this topic might be better discussed on the gohper mailing list: <https://lists.debian.org/gopher-project/>. > And encryption (such as TLS, mentioned in the document) could help prevent > the spying to help protect privacy > > (Although there are other options than just TLS.) And as I've stated before, present both a server and client as a proof-of-concept, then it can be discussed. Until then, it's a no go (at least, that would be my stance but I stepped down from Gemini development). -spc
---
Previous in thread (5 of 14): 🗣️ Charles Iliya Krempeaux (cikrempeaux (a) gmail.com)
Next in thread (7 of 14): 🗣️ Sean Conner (sean (a) conman.org)